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Abstract 

Quantum secret-sharing protocols involving N partners (NQSS) are key distribution protocols in which 
Alice encodes her key into N ~ 1 qubits, in such a way that all the other partners must cooperate in 
order to retrieve the key. On these protocols, several eavesdropping scenarios are possible: some partners 
may want to reconstruct the key without the help of the other ones, and consequently collaborate with 
an Eve that eavesdrops on the other partners' channels. For each of these scenarios, we give the optimal 
individual attack that the Eve can perform. In case of such an optimal attack, the authorized partners 
have a higher information on the key than the unauthorized ones if and only if they can violate a Bell's 
inequality. 

1 Introduction 

In the rapidly growing field of quantum information, the first protocol that has almost reached the level of 
application is quantum cryptography , a beautiful solution to the important problem of secure communi- 
cation. The authorized partners Alice and Bob can establish an absolutely secure communication provided 
that they share a common sequence of bits (the key), unknown to anybody else: this is the very principle 
of the so-called secret-key cryptographic schemes. In 1984, Bennett and Brassard proposed a way of 
distributing the key in a physically secure way by using quantum physics: their protocol bears the acronym 
BB84, and was the first protocol of quantum cryptography — from now on, we shall use the more precise 
name of quantum key distribution (QKD). In the intuition of Bennett and Brassard, security is provided by 
the well-known feature of quantum mechanics: "measurement perturbs the system"; or, under a different 
viewpoint which is equivalent, by the no-cloning theorem. In 1991, Ekert |^ proposed a QKD protocol that 
uses entangled particles, and stated that the violation of Bell's inequality might be the physical principle 
that ensures security. This view was challenged by Bennett, Brassard and Mermin H], who showed that 
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Ekert's protocol is actually equivalent to the BB84 protocol, that involves single particles. A link between 
security of QKD and Bell's inequalities was nevertheless noticed in further studies ||, ^J. 
The plan of this paper is as follows. In Section 2, we consider two-partners QKD. The material of this 
section is not new in itself, but the approach is; moreover, it is a useful introduction to the following 
Sections. In Section 3, we define the N-partners protocols that we consider. Several eavesdropping scenarios 
can be imagined on these protocols, and we give Eve's optimal individual attack in each case. In Section 
4, we introduce a family of M-qubit Bell's inequalities (Mermin-Klyshko inequalities), and we discuss the 
link between the violation of these inequalities and the security of the N-partners protocol. Section 5 is a 
conclusion. 



2 QKD involving two partners 

2.1 The BB84 protocol 

The BB84 protocol of quantum key distribution between two partners, Alice and Bob, is characterized by 
the fact that two complementary bases are used to encode the bits. In the original version of the BB84 
protocol 1^, Alice prepares a qubit into a randomly chosen eigenstate of Ox or of ctj,, and sends it to Bob. 
Since we want to discuss Bell's inequalities, we consider the following preparation method Alice has 
an EPR source that produces a maximally entangled state, say |<I>+) ~ --i=(|00) + |11)), where |0) and |1) 
are the eigenstates of a^- On her side, Alice measures randomly or <jy on one qubit. The moment at 
which Alice performs her measurement is irrelevant; in particular, she can measure her qubit immediately 
after it leaves the source. This way, Alice's measurement acts as a preparation of the second qubit, which 
goes to Bob through a quantum channel. Bob also measures either Ux or Uy. If he measures the same 
observable as Ahce, his result is perfectly correlated to hers, since {ux ® <Jx)<s>+ = ^{<^y ® cry)<s>+ = 1; if he 
measures the other observable, he has no information on Alice's result, since {(Tx®o'y)<i>+ = {o'y(So'x)^+ — 0. 
At the end of the transmission, for each qubit Alice and Bob reveal publicly the measurement that they 
performed (but of course not its result). They simply discard those cases where they have measured different 
observables, and they end up with two identical lists of random bits. Bob's information on Alice's bits is 
measured by the mutual information I{A : B), defined as H{A) + H{B) — H{AB) = H{A) — H{A\B), where 
H{{pi}) — —J2iPi^'^S2Pi is the Shannon entropy. Therefore, in the absence of eavesdropping, H{A\B) ~ 
since knowing the list of B is equivalent to knowing the list of A; and since Alice is supposed to choose her 
measurement randomly, H{A) — 1; whence I{A : B) — 1, as it should. 

2.2 Security and mutual information 

The security of a key-distribution protocol based on quantum mechanics comes from the no-cloning theo- 
rem. Suppose that Eve tries to eavesdrop on the quantum channel linking Alice and Bob: she cannot get 
information on the state that is sent on the channel without introducing perturbations, that should reveal 
her presence to the authorized partners. If A and B observe the presence of the spy, in most cases they can 
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still perform some operations that ultimately lead them to share a secret key. More precisely |7|] A and B 
can run a one-way protocol known as privacy amplification if and only if 

I{A : B) > min[/(A : E), I{B : E)] . (1) 

This is the condition that we ask for security. In fact, it has been shown that this condition is not strictly 
necessary: even if it does not hold, there exist a protocol allowing the extraction of a secret key ||]. But 
this protocol, called advantage distillation, is a two-way protocol, much less efficient than one-way privacy 
amplification. 

The natural problem is now: for a given error rate that is introduced on Bob's information, that is, for a given 
value of I {A : B), find the attack of Eve that optimizes her information on Alice's key, I {A : E). The answer 
is not known in all generality; but it is, if we restrict the analysis to individual attacks This means that 
Eve acts separately on each qubit that is sent on the quantum channel, i.e., she does not perform coherent 
measurements of subsequent qubits. To date, it is not known whether a more general attack would be more 
efficient, only bounds are known |^ — as for the experimental state-of-the-art, even the implementation of 
individual attacks would be a great challenge. 

It has been shown |lo| that Eve can perform the optimal individual attack having a single qubit as resource, 
by implementing the following unitary transformation affecting her and Bob's qubits (by convention, we 
supposed that Eve prepares her qubit in the state |0)): 

UbeIOO) = |00) 

Ube\10} = cos^llO) + sin0|Ol) 
where |00) etc. are shorthand for \0)g^ |0)^ etc.; (j> E [0, ^] characterizes the strength of Eve's attack. Note 
that the roles of B and E are symmetric under the exchange of 4> with ^ — (/). Due to eavesdropping, the 
three-qubit state of A, B and E reads 

|*2i(</')) = ^(|OOO)+cos0|llO)+sin?!)|lOl)). (3) 
v2 

(the labeling means that we consider a 2-partners protocol in which 1 partner is spied by Eve). By tracing out 
one of the qubits, we obtain the density matrices pab, Pae and psE that describe the statistics of each pair. 
Let then M, N e {A, B, E}, M ^ N, be two of the three partners. We want to calculate I{M : N). In general, 
we must consider two statistics: the statistics obtained when M and N measure ax, and the statistics Py 
obtained when M and N measure ay-, and I{M : iV) = 1 - ^[HxiM\N) + Hy{M\N)]. Here, after calculation 
one finds that both statistics are the same, whatever the pair. Moreover, p{M 0, iV = 0) = p{M = 1,N = 
1) and p{M = 0, iV = 1) = p{M = 1, iV 0). Writing Dmn = p{M ^0,N ^ 1)+ p{M = 1, TV = 0) the 
probability that the bit of AI is different from the bit of A^, wc find finally 

IiM:N) = 1-H{{Dmn,1-Dmn}) (4) 

with 

n 1 — cos(/) j-i 1— sin(^ 7-1 1— sin2rf) 

E>AB = ' = ' ^BE = 2 — ' ^ ' 

In figure |l|, we plotted I {A : B) versus min[/(yl : E),I{B : E)]: we see that the condition for security (^ is 
fulfilled if and only if < f . 
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2.3 Violation of a Bell's inequality 

Having the three density matrices PAB^ Pae and pbe derived from the three-qubit state (^), we can also 
investigate whether one or more pairs violate a Bell's inequality for a given value of (f). Given a set of four 
unit vectors a — {ai, a 'j^, 02, 02}, we build the two-qubit Bell operator 

'82(0) = (cTai + Cr„. ) (g) aa^ + (da, - (7a'J ® CT^ (6) 

with da = d ■ (T. The CHSH inequality reads S'2 = maxa Tr(pS2(a)) < 2, while the maximal value 
allowed by QM is ^2 = 2\/2 The calculation of S'2 using the Horodecki criterion can be carried out 
explicitly for the three pairs, and we find 

Sab = 2V2 cos (j> , Sab = 2^/2 sin , Sss = V2 sin20 . (7) 

Therefore the pair A-B violate the inequality if and only if the pair A-E does not violate it, and the curves 
cross at = j, exactly were the security condition ceases to be fulfilled (fig. As for the pair B-E, it never 
violates the inequality. The fact that the curves Sab and Sae cross at </i = ^ is an immediate consequence 
of the symmetry of the attack (|^); but what is interesting is that they cross precisely for Sab — Sae = 2. 
In other words: simply using the symmetry, we could have guessed that I{A : B) > I{A : E) if and only if 
Sab > Sae', but here we found that Eve's optimal attack is such that A and B can establish a secret key 
using one-way privacy amplification iff Sab > 2, i.e., iff they violate the CHSH inequality. This coincidence 
was already stressed in ^ . 

It has recently been shown that the analysis of the BB84 protocol holds unchanged even if we suppose that 
Eve controls the source [Q. Also, in the case of the six-state protocol for QKD the violation of CHSH 
is still a sufficient, but no longer a necessary condition. In conclusion, a tour d'horizon of the two-partners 
QKD protocols with qubits shows that the violation of the CHSH inequality is a sufficient condition for 
security. In Section 4, we generalize this statement to protocols in which the key is distributed among more 
than two partners. The next section is devoted to the definition of these protocols. 



3 QKD involving N partners: definition, and eavesdropping 
3.1 The N-partners secret-sharing protocol 

The QKD protocol can be generalized to more than two partners in several ways. For instance, one may 
think of a protocol in which Alice sends information to Bob and Charlie so that she can choose a posteriori 
with whom a secret key will be established. Here we consider another family of protocols, based on the 
following idea: Alice sends information to her — 1 partners Bi, B^-i in such a way that all of them 
must cooperate in order to retrieve the secret key, and any smaller subset of Bobs has no information on 
the key. More formally, this means that the bipartite mutual information I{A : Bi, ...,Bk) must be for 



fc < — 1, and 1 for k = N — 1. Such protocols exist, and are called secret- sharing protocols |16 . 

Now, take k + 1 of the partners and divide the partners into three non-empty groups A, B and C. In general, 

it holds I{A : BC) = I{AB : C) + H{B\C) - H{B\A). But in the protocols that we are considering, if we 
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Measure of A 


Result 


State of BC 


fx 


+ = 






- = 1 




ay 


+ = 






- = 1 





Table 1: Preparation of the state of BC by measurements of A. 

know only A, we have no information on B, since we lack the information of C; thus H{B\A) — H{B). 
Similarly, H{B\C) — H{B). Consequently for secret-sharing protocols we have I{A : BC) = I{AB : C) = 
IiA:Bi,...,Bk). 

The quantum version of a secret sharing protocol involving N partners (NQSS) goes as follows: Alice's 
source produces the N-qubit GHZ state IGHZat) = ^(|0^)^ + |1^> J, with |0^)^ = |0)^ (g) ... (g) |0)^, and 
= (g) ... (g) Alice measures cTx or ay on one of the qubits, and sends the other qubits to her 
partners -Btv-i- Each Bob also measures either a^ or ay. At the end of the transmission, all partners 

communicate publicly their measurements. Each time that an even number of partners have measured ay, 
the results exhibit the desired correlation. In fact, consider a measurement where all partners measured a^'. 
each partner has one bit sa, sbi, ss„_i, where s = ±1. Since {ax (g ... (g ax)GHZ = 1, these N bits must 
satisfy sasbi---SBn-i — 1- Consequently, if all the Bobs cooperate, they know Alice's bit sa — ssi ...sbn-i ! 
and if one or more of the Bobs refuses to cooperate, then the other Bobs have strictly no information on 
what Alice has sent. 

Before studying Eve's optimal individual attacks on NQSS, we introduce the useful notations 
These notations may seem misleading, since 

|0^):r' 10^)?; ^ud y arc uot product states like |0^)^ 

and ll^)^, but GHZ states. It will become evident in the following why such notations are indeed suited to 
our analysis. 

3.2 Optimal eavesdropping for 3QSS 

For clarity, we discuss in all detail Eve's attacks in the case = 3, that is, on the quantum secret shar- 
ing protocol proposed in Alice's authorized partners are called Bob and Charlie. Two scenarios for 
eavesdropping can be imagined. 

Scenario 1. An external Eve tries to eavesdrop on both channels A-B and A-C, in order to gain as much 
information as possible on Alice's message. For the analysis of this scenario, it is convenient to suppose that 
Alice measures immediately ax or ay on her qubit. This way, she prepares the two-qubit state that is sent to 
Bob and Charlie, according to Table |l|. If we forget the difference in the physical realization of the flying bit 
and stick to the information content of what is being transmitted, this eavesdropping scenario is identical to 
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Meas. of A and B Result 


State of C 


Meas. of A and B Result State of C 


CTj; (g) ax ++ 


|0). 


O-y ® Ox ++ |0)y 


+ - 


|1>. 




-+ 









|o>. 


10), 




10). 


ay® ay ++ |1)^ 


+ - 


ID, 


+- lo). 




|i>. 


-+ |o). 




10), 


|1). 



Table 2: Preparation of the state of C by measurements of A and B. 



the eavesdropping on the BB84 protocol. Therefore we know an individual attack that maximizes I{A : E) 
for a given I {A : BC): it is given by (||), replacing |0) with jO'^)^ on Bob's side. Note that this attack is 
"coherent", in the sense that Eve attacks coherently the two qubits flying to B and C; but is nevertheless 
an "individual" attack, since each pair of qubits is attacked separately form the other pairs. This concludes 
the study of scenario 1. 

Scenario 2. Bob docs not want to cooperate with Charlie in order to retrieve Alice's message. Consequently, 
he collaborates with an Eve that tries to eavesdrop on the line A-C. In this scenario, two triples come into 
play: A-B-C and A-B-E, and the meaningful information measures are I {A : BC) and I {A : BE). Just as in 
the analysis of scenario 1, it is useful to recast the protocol in the following form: by measuring ax ot: ay, A 
and B prepare the state of the qubit that is sent to C. The preparation is given in Table ^. The bits flying 
on the channel A-C are exactly in the same physical state as in a BB84 protocol. The conclusion here is 
not as straightforward as for scenario 1 however, because the individual attack (||) optimizes for I{AB : E) 
with respect to I{AB : C), while we need the attack that optimizes I {A : BE) with respect to I [A : BC). 
But I{AB : C) = I{A : BC) and I{AB : E) = I{A : BE) hold even in the presence of the eavesdropper: in 
fact, B and C are not correlated before the eavesdropping, and E is not correlated with A and B; therefore 
H{B\A) = H{B\C) = H{B\E) = H{B). 

3.3 Optimal eavesdropping for NQSS 

The same argument can be worked out for any eavesdropping scenario on NQSS, for arbitrary N . One the 
one side, as discussed, even under eavesdropping, it holds that I{ABi...Bf^_n-i '■ ^jv-n---^Af-i) — ■ 
Bi...Bpf_i). On the other side, conditioned to the measurements of ax and ay hy N — n partners, the n 
other partners can only receive one of the four states |0")^, |1")^, |0")j,, U"),- In f^ct, take as an example 
the case where all the N — n partners measure ax- The N-qubit GHZ state |GHZjv) can be rewritten as (we 
neglect normalization) 

r), + in^ ^ (io). + ii)j^*''~"^io"). + (io),-ii)j^^"^""V"). = 

= (even number of l^'s) <S) |0")^ + (odd number of l^r's) ® \^^}x ■ 
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Then, conditioned on the result of the measurement of Ux on the first N ~ n qubits, either jO")^ or is 
sent to the remaining n partners. The case where some of the N — n partners measure Uy is analogous; the 
states that are prepared are |0")^ or if an even number of partners measure ay, |0")j^ or otherwise. 

In conclusion, we have shown that, for all possible eavesdropping scenarios on NQSS protocols. Eve can 
perform the optimal individual attack having a single qubit as resource. The interaction that describes the 
optimal individual attack on n channels is 

|l"),®|0)^ cos0|l«)^®|O)^ + sin</>|O"),0|l)^ 

where € [0, ^] measures the strength of the interaction. Of course, this interaction is presumably more 
complicated when she eavesdrops on several channels (like in scenario 1 for 3QSS), since she must have 
her qubit interacting coherently with all flying qubits. For the attack (^, the mutual information for the 
authorized and for the unauthorized partners, la and /„ respectively, can be calculated explicitly; it is not 
astonishing that the result is 

la = IiA:Bi,...,BM-i)=lN=2iA:B) = l-H{{DAB,l-DAB}) (9) 
/„ = I{A:Bi,...,BN-n-i,E)^lN=2{A:E)^l-H{{DAE,l-DAE}) (10) 

with Dab and Dae given by (^. So again by symmetry la > lu if and only if (j> < j. To our knowledge, 
privacy amplification has not been studied in secret-sharing protocols; in particular, it is not clear if there is 
still a huge difference in efficiency between "one-way" and "two-way" protocols. It seems however obvious 
that the set of partners having the highest mutual information can run some protocol to extract a secret 
key. 



4 Violations of Bell's inequalities 
4.1 Multiqubit Bell's inequalities 

In the case iV = 2, we saw that la > lu if and only if the authorized partners violate the CHSH inequality, 
that is if > 2 > S'„. We extend this result to all NQSS protocols. 

The number of inequivalent BI grows rapidly with M, the number of qubits. We restrict to the family 
of inequalities obtained when only two measurement are performed on each qubit, which are the natural 
generalization of the CHSH inequality. Even with this restriction, the number of possible inequalities grows 
as 2^*^; but recently, the inequalities in this family have been completely classified by Werner and Wolf JTzt . 
In particular, these authors have shown that in this family one can find some inequalities that are "optimal" 
under several respects. These optimal inequalities are nothing but the so-called Mermin-Klyshko inequalities 
(MKI) proposed some years ago These are the M-qubit BI that we are going to consider in this 

work. 
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Let a be a set of 2M unit vectors. The Bell operator that enters the MKI for M qubits is defined recursively 
as 

where is obtained from Bm by exchanging all the oj, and a J,. The maximal value for product states is 
{Bm) ~ 2; quantum correlations allow {Bm) > 2, up to (Bm) — 2~2^, obtained for M-qubit GHZ states. 
It is important to stress another property of MKIs Let p be a M-qubit state, and suppose that 

you can find a decomposition p ~ ^iPiPi such that in all pi at most m < M qubits are entangled (not 
necessarily the same ones in each pi): then {Bm)p < . In other words, if 2'^ < {Bm)p < 2"^— ^ the 
inequality for product states is violated, but this violation is weak, in the sense that it can be achieved 
with m-qubit entanglement. Now, for MQSS to work, p must be "close" to IGHZm), that is, must exhibit 
"strong" M-qubit entanglement. Thus in all that follows we shall say that a M-qubit state p violates the 
MKIii the violation is higher than the one that could be achieved with M-1 qubits, that is, if {Bm) p > 2"^. 

4.2 Violation of MKI in NQSS 

We consider the state that is generated in an eavesdropping scenario on NQSS. As usual, Alice is the sender. 
Some of the receivers would like to retrieve Alice's message without the other n partners to know it; they 
ask then Eve to spy on those lines. We call Bobs Bi, Sjv-n-i the partners that collaborate with Eve, and 
Charlies Ci, C„ those that are spied. In the quantum protocol, each partner has a qubit, so we consider 
a system of + 1 qubits. We write the Hilbert space as Hab 'S) Ti-c ^He- We have demonstrated in the 
previous section that under Eve's optimal attack the state shared by the A^ -f 1 partners becomes (we drop 
the subscript z) 

\^Nn) = (|0^-")|0")|0) + cos0|l^-")|l")|O) + sin0|l^-")|O")|l)) . (12) 
v2 

Let pabc — Pa and pab e — Pu be the density matrices of the authorized and of the unauthorized partners 
that are derived from |^jvn)- We have Sa ~ maxa_Tr(SAr(a)pa) and 5„ — maxQ_Tr(SAr_„+i(a)p„). In the 
absence of a criterion like Horodeckis' |]l3j, it is difficult to perform the optimization that gives S, even for 
the particular state that we consider. We found an explicit result when A^ and n have different parity, and 
relied on numerical optimization for the other cases. These results are given in Appendix A. Within these 
warnings, we can safely state that the following holds: in the NQSS protocol, whatever the number n of 
honest partners that are eavesdropped by Eve: 

la > h if and only if > 2^ ; (13) 

and in this case Su < 2 2 . This is the exact analog of the result obtained for N = 2: in case of optimal 
attack by Eve, the authorized partners have a higher information than the unauthorized ones if and only 
if they violate the MKI. In other words, to within the warnings above, we have proved the Conjecture put 
forward in a previous work |21| . 
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4.3 MKI and the structure of the Hilbert space 

The main feature of the hnk between optimal eavesdropping and the violation of MKIs is that the authorized 
partners violate the inequality if and only if the unauthorized partners don't. Of course, it is trivial to loosen 
this link: non-optimal attacks can easily be found in which neither set of partners violate an inequality. Thus 
so far we have met only states of qubits characterized by the following property: if a set Ai of M qubits 
violate a MKI, then all other sets of qubits having an overlap with M do not violate a MKI. A natural 
question is: is this property true for all possible states of qubits? If the answer were positive, then for any 
given state the violation of MKIs would define a unique partition of the set of qubits, into subsets of " strongly 
entangled" qubits. This would provide an astonishing link between the violation of MK inequalities and the 
structure of the Hilbert space. 

However, the answer to this question turns out to be negative. The simplest counterexample is provided by 
a system of four qubits A,B,C and D, where it is possible that both triples (A,B,C) and (B,C,D) violate the 
Mermin's inequality. For example, for a w 0.955, the state cosa(|0011) + |1100) + i|0101) + i|1010))/2 + 
sma (i|1001) + |llll))/\/2 gives Sabc ~ Sbcd = 3, obviously higher than 2\/2 which is the bound for a 
three-qubit violation. We have found numerically several more examples in which a violation of MKIs by 
two overlapping sets is allowed; these results are listed in Appendix B. Interestingly, there are also some 
cases in which a double violation is not possible: thus there is indeed a link between the violation of MKIs 
and the structure of the Hilbert space, although this link may be difficult to unravel. Possibly a stronger 
link could be found by using more general inequalities. 

In the meantime, the link between violation of MKI and security is strengthened by these remarks. In fact, 
even though there exist states in the Hilbert space that would allow double violations of MKI, these states 
can never be produced in any eavesdropping scenario |^ . 

5 Conclusion 

We have demonstrated a link between the security of some quantum key distribution protocols and the 
violation of some Bell's inequalities. Precisely: in a secret-sharing protocol, the authorized partners have 
a higher mutual information than the unauthorized ones if and only if they violate a Mermin-Klyshko 
inequality. Whether this result is valid for other protocols, or for other inequalities, is an open question 
worth investigating. 

All the protocols described in this paper can be implemented using qubits. It is a current field of investigation 
whether higher security can be achieved using higher-dimensional quantum systems |^^ . Now, for such 
systems, no satisfactory Bell inequality has been found yet; the link with cryptography may provide a 
pathway to some new advances in this direction. 
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Appendix A 

We want to calculate Sa — maxa Tr(_BAr(a)/3a) and 5*11 — ma.XaTr{BN-n+i{(l)Pu), where pa — pabc and 
Pu — PABE derived from the state \^Nn) defined in ([l^). We discuss first the calculation of Sa- 
Let B = BN{a) ts- Then we have Sa — maxa (5'Arn|S|^Ar„). Now: 

{^Nn\B\^Nn) = ^ [(0^ | SjV |0^) + COS^ (1^ | 1 1^) + Sin^ (l^^-"0" I^AT 1 1^-"0") + 

+ cos0((l^|e^v|O~)+c.c.) 

But {1^\Bn\1^) = (-1)^(0^ \Bn\0^) and (l"-"0"|SAr|l^-"0") = (-l)^""(0^|67v|0^), as can be easily 
verified from the definition of Sat. Therefore 

Sa = max (/Ar„(0) Boo(a) + cos</>Bio(a)) (14) 

where Boo = (0^|SAr|0^), Bio ~ Re(l^|SAr|0^), and where the function fNn{<t>) is positive and depends on 
the parity of N and n. Before discussing it in detail let's see why the calculation of Sa is not trivial. We 
know that there are sets a of unit vectors that saturate the bound i?io(a) = 2~2— ; but for these we find 
^00(0) = 0. Similarly, the sets a that saturate the bound i3oo(a) — 2 give -Bio(a) = 0. Thus to calculate Sa 
we cannot optimize both Boo and Biq: we must know whether it is better to optimize one of the two and 
letting the other go to zero, or if we must find an intermediate value. Numerical estimates suggest that the 
first strategy is the good one. However, by considering all possible values of fNn{<t>) we can get some more 
insight 

N + \ 

• For N odd and n even, fNn{4>) = 0. Consequently the maximization is immediate: Sa = cos0, 
that goes below the limit 2"^ precisely for cf) = j. 

• For TV even and n odd, fNn{(p) = cos^ (j). Therefore Sa < cos0 maxa (Boo(a) + Bio(a)). But since N 
is even. Boo (a) + Bio (a) = (GHZ | Sat (a) | GHZ), that can reach 2~2— . Consequently the bound can be 

N + l 

achieved, and we have again Sa = '2 2 cos </>. 

• For both N and n odd, jNn{4') — sin^ 0; and for both N and n even, fNn{4>) = 1- For these cases, we 
did not find any argument leading to a simple estimate of Sa- However, several numerical estimates 



strongly suggest that 5*0 = max 2 2 cos0, 2fNn{4') 
again crossed for = -1. 



In particular, the boundary S" = 2 2 is once 



The same discussion can be made for Su, replacing by ^ — by iV' — n + 1 and nhy n' = 1. 

Therefore n' is always odd. If N and n have different parities, then N' is even, and we have certainly 
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N — n+1 

Su = 2 2 sin(j). If TV and n have the same parity, then N' is odd as n' , and we are left with numerical 
arguments. 

In conclusion, the condition for security ([T^ ) has been rigorously demonstrated for N and n of different parity. 
Note that this case includes the case where n ^ N — 1, that is the case of an external Eve and no dishonest 
Bob. For the cases where N and n have the same parity, we did not find a conclusive demonstration. However, 
both numerical arguments |^ and formal analogies (the structure of the states is identical) strongly suggest 
that (ll3) holds in these cases too. 



Appendix B 

Consider a set /C of fc qubits, and let A4 and Af be two different but overlapping subsets of /C containing 
respectively m and n qubits. For definiteness, take m < n. For a given |^) G TitC: we write p_\f and pM the 
density matrices for the qubits in the two subsets obtained from |^')('I'| by partial traces. We ask if it is 
possible to find a state I^E") E Hic such that 

S'_V = maxTr(p;V' 'S„(a)) > 2~ and = niaxTr(p» Sm(A)) > 2~ 

where a and A are sets of, respectively, 2n and 2m unit vectors. To tackle this question, we define the 
observable 

Vknm = Bn{a) «) + 2^1fc_™ (g) ^^(A) . 

The computer program maximizes the highest eigenvalue of Vknm over all possible choices of a and A. If the 
highest eigenvalue does not exceed 2 x 2"/^, then it is impossible to find a state that allows both SV > 2"/^ 
and Sm > 2"/^. The results of the numerical calculations that we performed are listed here (for clarity, we 
print in boldface the common qubits): 

• max(S'A_B + Sac) = 4: double violation impossible (Theorem 1 in [2l|). 

• max(5ABC + Sade) — 4^2: impossible (Theorem 2 in [2l||). 

• max(5ABC + Sabd) — 6.0945 > 4^2: possible (Theorem 3 in see main text for a state that gives 
a double violation). 

• max(S'ABC + V^Sad) = 4\/2: impossible. 

• max(5ABC + V2S'ab) = 6.9282 > 4^2: possible, e.g. for the state ^(|000) +cosa|lll) +sina|110)), 
ae]0,f[. 

• max(5A_BCD + Sadef) = 8: impossible. 

• max(S'ABCD + Sabef) ~ 8.612 > 8: possible. 

• max(5ABC_D + S'abcb) = 8: impossible. 

• max(5A_BCD + 2 5a_e) = 8: impossible. 
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• max(5ABCD + 2S'ab) = 9.7566 > 8: possible. 

• max(S'ABCD + V^Saef) ~ 8: impossible. 

• max(S'ABCD + V^Sabe) = 6\/2 > 8: possible. 

• max(S'ABCD + V^-Sabc) = 9.6566 > 8: possible. 

• max(S'ABCi5£; + Sabfgh) = 12.088 > 8\/2: possible. 

• max(5ABC_D_E + S'abcfg) = 8^2: impossible. 

• max(5ABCD£; + S'abcd.f) = 8\/2: impossible. 

• max(5ABCi5£; + 2S'abf) = 12.18 > 8\/2: possible. 

In these examples, double violations appear to be possible when one set is completely contained into the 
other one i.e. A4 C JV, or when Card(Al nW) = 2. Of course, it is difficult to guess general rules from these 
observations, since we have explored only the cases n, m = 2, 3, 4 and some cases with n, m 
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Figure 1: Bell parameter S and mutual information / for the two-partners QKD protocol BB84. The security 
criterion (nl) is satisfied if and only if Sab > 2. 
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